IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt

Paul Vixie <paul@redbarn.org> Wed, 23 February 2022 00:12 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDD833A0962 for <dnsop@ietfa.amsl.com>; Tue, 22 Feb 2022 16:12:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.813
X-Spam-Level:
X-Spam-Status: No, score=-7.813 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.714, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redbarn.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ECrhIXevmTNe for <dnsop@ietfa.amsl.com>; Tue, 22 Feb 2022 16:12:43 -0800 (PST)
Received: from util.redbarn.org (util.redbarn.org [24.104.150.212]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F3A73A0953 for <dnsop@ietf.org>; Tue, 22 Feb 2022 16:12:40 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by util.redbarn.org (Postfix) with ESMTPS id 7830F1A2423; Wed, 23 Feb 2022 00:12:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=redbarn.org; s=util; t=1645575158; bh=krZ5erIvRy1PEhRwHVa+CXZIjWBlJJR/CBEiV3+uKCw=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=eGtQL+cCGP7qIZTejdzKgiY/Nb2uYyp+cTCZE/dF+IeNSeSbVVTh+dWqJxl97Ugad yPcokRGBDJCovz6FCKyZ4P3L1gtP2sDKBKwtLTPG30Gk5fDvlusPWQSuh/eA8AtKsi FJiaT5XzvMKxj2lHu20jmkyHP3fOrrgpMCBVu7XI=
Received: from [24.104.150.142] (unknown [24.104.150.142]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 0D6A07597E; Wed, 23 Feb 2022 00:12:35 +0000 (UTC)
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, Wes Hardaker <wjhns1@hardakers.net>
References: <163777315136.16773.10633006296842101587@ietfa.amsl.com> <4e4527b6-b0b3-33f3-3849-8a593fe29a1d@nic.cz> <ybly22j7m5m.fsf@w7.hardakers.net> <95a4103b-dd26-17ba-d4dd-ac82b2bd510f@nic.cz> <B5A5CA65-E1C0-4EE1-B7C7-F14374EB5955@apnic.net> <224294e9-4934-092a-6d28-a40d42be689a@nic.cz>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <a4b8c736-3ddd-ff55-630d-ff5fd9a4f205@redbarn.org>
Date: Tue, 22 Feb 2022 16:12:33 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/7.0.54
MIME-Version: 1.0
In-Reply-To: <224294e9-4934-092a-6d28-a40d42be689a@nic.cz>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wo-yKTrwIqjh-v4HPNBmbzEjr2A>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Feb 2022 00:12:48 -0000


Vladimír Čunát wrote on 2022-02-22 14:56:
> On 22/02/2022 20.02, Geoff Huston wrote:
>> ...
> 
> I believe that the cleanest and least bug-prone way to implement this 
> sub-case is to simply ignore any NSEC3 records with iterations over the 
> limit.  You do not need to check any kind of signatures or any further 
> properties, as it's just trading one SERVFAIL for another SERVFAIL. ... 
> 
> I hope I've stated my argument clearly now.  Thanks for bearing with me.

+1.

-- 
P Vixie

v2.23.0 | Report a Bug | By Email